RE: Signatures taking down network

["Mike Barkett" <mbarkett () nfr com>]

David -

I'll throw the NFR hat in the ring.  In this case, my opinions ARE
reflective of my employer's, and some product plugging does need to be done.
:)

First, check with your 3com/TP rep to make sure you have all the updates and
everything is configured properly.  This is a nightmare scenario for any IPS
vendor, and TP has already gotten a lot of bad press to which I believe they
have adequately responded.

Second, this underscores the value of a truly hybrid approach (stateful sigs
fused with protocol anomaly detection) for two reasons: 
        
        1) Products that utilize true "0-day" type prevention require less
updates.  Not zero updates, but less.  The WMF example is already played
out, so I will use another recent one.  The "Qualcomm WorldMail IMAP Server
String Literal Processing Overflow Vulnerability" came out some time around
12/20/05.  NFR Sentivist detected and prevented this by default.  No
signature update required.  A less advanced system may have required another
sig, which could have meant another opportunity for a bug.

        2) A vendor with an engine like NFR's has to scramble much less than
one that must go into reaction mode.  Your question about QA applies here.
If a vendor releases a sig based on a vulnerability, well before a proof of
concept exists, then they have a little more breathing room to QA it
properly.  With the WMF bug (sorry), we saw a negative patch gap; that is, a
public exploit was released well before the OS was patched.  This meant
that, from the very beginning, the average Joe IT Guy was in a race with the
average Joe Script Kiddie, and the script kiddie got a head start.  It also
meant bad news for any reactive IPS vendors that needed to accelerate their
QA processes in order to continue protecting their customers.

Just one vendor's $0.02...

-MAB

--
(nfr)(security)
Michael A Barkett, CISSP
Vice President, Systems Engineering
(www.nfr.com) +1.240.632.9000 Fax: +1.240.747.3512


-----Original Message-----
From: David Williams [mailto:dwilliamsd () gmail com] 
Sent: Saturday, January 14, 2006 9:04 AM
To: focus-ids () securityfocus com
Subject: Signatures taking down network

I'm evaluating a Tipping Point box and after gettting the latest
signatures I'm having problems with the box "crashing".  My goal is
not to bash Tipping Point, but instead to gather information on how
often people have seen this type of thing among IPS boxes.

Is there a trend with vendors to roll out signatures as fast as
possible without proper QA?  This brings up a lot of questions about
deploying IPS.  I want two opposite things from my vendors:  1) I want
the latest signatures super fast.  2)  I want proper QA so that it
doesn't bring down my network.  I realize those two things are
contradictory, but I thought I'd throw it out there to see if anybody
had any thoughts.

thanks,

d

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------